Add hooks for CreateWindowEx*, calls to these functions can result in…

… over 50 other API calls that clutter up the registry summary and confuse beginner analysts
spender-sandbox · Nov 10, 2014 · 3e4f081 · 3e4f081
1 parent 05060e8
commit 3e4f081
Show file tree

Hide file tree

Showing 3 changed files with 88 additions and 0 deletions.
diff --git a/cuckoomon.c b/cuckoomon.c
@@ -178,6 +178,8 @@ static hook_t g_hooks[] = {
     // Window Hooks
     //
 
+	HOOK(user32, CreateWindowExA),
+	HOOK(user32, CreateWindowExW),
     HOOK(user32, FindWindowA),
     HOOK(user32, FindWindowW),
     HOOK(user32, FindWindowExA),

diff --git a/hook_window.c b/hook_window.c
@@ -100,3 +100,59 @@ HOOKDEF(BOOL, WINAPI, EnumWindows,
     LOQ_bool("windows", "");
     return ret;
 }
+
+HOOKDEF(HWND, WINAPI, CreateWindowExA,
+	__in DWORD dwExStyle,
+	__in_opt LPCSTR lpClassName,
+	__in_opt LPCSTR lpWindowName,
+	__in DWORD dwStyle,
+	__in int x,
+	__in int y,
+	__in int nWidth,
+	__in int nHeight,
+	__in_opt HWND hWndParent,
+	__in_opt HMENU hMenu,
+	__in_opt HINSTANCE hInstance,
+	__in_opt LPVOID lpParam
+) {
+	HWND ret = Old_CreateWindowExA(dwExStyle, lpClassName,
+		lpWindowName, dwStyle, x, y, nWidth, nHeight,
+		hWndParent, hMenu, hInstance, lpParam);
+	// lpClassName can be one of the predefined window controls.. which lay in
+	// the 0..ffff range
+	if (((DWORD_PTR)lpClassName & 0xffff) == (DWORD_PTR)lpClassName) {
+		LOQ_nonnull("windows", "ls", "ClassName", lpClassName, "WindowName", lpWindowName);
+	}
+	else {
+		LOQ_nonnull("windows", "ss", "ClassName", lpClassName, "WindowName", lpWindowName);
+	}
+	return ret;
+}
+
+HOOKDEF(HWND, WINAPI, CreateWindowExW,
+	__in DWORD dwExStyle,
+	__in_opt LPWSTR lpClassName,
+	__in_opt LPWSTR lpWindowName,
+	__in DWORD dwStyle,
+	__in int x,
+	__in int y,
+	__in int nWidth,
+	__in int nHeight,
+	__in_opt HWND hWndParent,
+	__in_opt HMENU hMenu,
+	__in_opt HINSTANCE hInstance,
+	__in_opt LPVOID lpParam
+) {
+	HWND ret = Old_CreateWindowExW(dwExStyle, lpClassName,
+		lpWindowName, dwStyle, x, y, nWidth, nHeight,
+		hWndParent, hMenu, hInstance, lpParam);
+	// lpClassName can be one of the predefined window controls.. which lay in
+	// the 0..ffff range
+	if (((DWORD_PTR)lpClassName & 0xffff) == (DWORD_PTR)lpClassName) {
+		LOQ_nonnull("windows", "lu", "ClassName", lpClassName, "WindowName", lpWindowName);
+	}
+	else {
+		LOQ_nonnull("windows", "uu", "ClassName", lpClassName, "WindowName", lpWindowName);
+	}
+	return ret;
+}
diff --git a/hooks.h b/hooks.h
@@ -562,6 +562,36 @@ extern HOOKDEF(NTSTATUS, WINAPI, NtSaveKeyEx,
 // Window Hooks
 //
 
+extern HOOKDEF(HWND, WINAPI, CreateWindowExA,
+	__in DWORD dwExStyle,
+	__in_opt LPCSTR lpClassName,
+	__in_opt LPCSTR lpWindowName,
+	__in DWORD dwStyle,
+	__in int x,
+	__in int y,
+	__in int nWidth,
+	__in int nHeight,
+	__in_opt HWND hWndParent,
+	__in_opt HMENU hMenu,
+	__in_opt HINSTANCE hInstance,
+	__in_opt LPVOID lpParam
+);
+
+extern HOOKDEF(HWND, WINAPI, CreateWindowExW,
+	__in DWORD dwExStyle,
+	__in_opt LPWSTR lpClassName,
+	__in_opt LPWSTR lpWindowName,
+	__in DWORD dwStyle,
+	__in int x,
+	__in int y,
+	__in int nWidth,
+	__in int nHeight,
+	__in_opt HWND hWndParent,
+	__in_opt HMENU hMenu,
+	__in_opt HINSTANCE hInstance,
+	__in_opt LPVOID lpParam
+);
+
 extern HOOKDEF(HWND, WINAPI, FindWindowA,
     __in_opt  LPCTSTR lpClassName,
     __in_opt  LPCTSTR lpWindowName